Abstract. A modified realisability interpretation of infinitary logic is formalised and proved sound in constructive type theory (CTT). The logic considered subsumes first order logic. The interpretation makes it possible to extract programs with simplified types and to incorporate and reason about them in CTT.



1. Modified realisability 

Modified realisability interpretation is a well-known method for giving a constructive interpretation of some intuitionistic logical system into a simple type structure [Tro73]. The method is used, for instance, in Minlog and Coq for extracting programs from proofs (cf. [Sch04] and [Let04]). These programs are to a large extent free from the computationally irrelevant parts that might be present in programs arising from direct interpretations into constructive type theory. The realisability interpretation requires a separate proof of correctness, which is usually left unformalised.

In this note we present a completely formalised modified realisability interpretation carried out in the proof support system Agda [Coq00]. We shall here use what is called modified realisability with truth, which has the property that anything realised is also true in the system (Theorem 1.2). One difference from usual interpretations as in Minlog is that the logic interpreted goes beyond first order logic: it is a (constructively) infinitary logic, which arises naturally from the type-theoretic notion of universe. Our extension to infinitary logic seems to be a novel result.

Agda is based on Martin-Löf constructive type theory [ML98] with an infinite hierarchy of universes #0 = Set, #1 = Type, #2 = Kind, #3, .... Each of these universes is closed under the formation of generalised inductive data types. We define in Agda an inductive type SP of propositions, so called simple propositions, by induction: for each small type A (i.e. a member of Set) an atomic proposition atom(A) : SP is introduced; SP contains ⊥ and is closed under the propositional connectives (∧, ∨, →), and for any small type A and any propositional function P : A → SP the quantified propositions ∀(A,P) and ∃(A,P) belong to SP. There is an obvious homomorphic embedding Tp of SP into the small types defined by Tp(⊥) = 0, Tp(atom(A)) = A, Tp(P ∨ Q) = Tp(P) + Tp(Q), Tp(P ∧ Q) = Tp(P) × Tp(Q), Tp(P → Q) = Tp(P) → Tp(Q), Tp(∀(A,P)) = (Πx : A)Tp(P(x)) and Tp(∃(A,P)) = (Σx : A)Tp(P(x)). We shall sometimes write (∀x : A)P(x) for ∀(A, P) etc.

The simple propositions may be realised by terms from a simplified type structure. All 
atomic propositions will be realised by the unique element elt of the unit type Un. Define 
another homomorphism Cr (for crude type) from SP to small types by letting 

Cr(⊥) = Un
Cr(atom(A)) = Un
Cr(P ∧ Q) = Cr(P) × Cr(Q)
Cr(P ∨ Q) = Cr(P) + Cr(Q)
Cr(P → Q) = Cr(P) → Cr(Q)
Cr(∀(A,P)) = (Πx : A)Cr(P(x))
Cr(∃(A,P)) = (Σx : A)Cr(P(x)).



The only difference from Tp is thus in the translation of absurdity and atoms. We note that a crude type may still be a dependent type, if the simple proposition is truly infinitary. For example, this is the case with Cr(∃(A,P)), if A = N and P(0) = ⊤, P(S(n)) = Q(n) ∧ P(n).

Another variant Cr' of the crude type map will be employed in Theorem 1.7 below. It is defined as Cr, except that

Cr'(∃(A,P)) = Un + (Σx : A)Cr'(P(x)).

The unit type appearing in the disjoint sum ensures that the type is never empty, which is 
crucial for interpreting the full absurdity axiom. 

The modified realisability MR(S,r) of a simple proposition S : SP by an element of crude type r : Cr(S) is defined as a small proposition (or small type) by the following recursion on S. (We use the identification of propositions and types for small types, so that ∧ and ∨ are used interchangeably with × and +, respectively.)



$$
\begin{aligned}
\mathrm{MR}(\bot, r) &= \bot \\
\mathrm{MR}(\mathrm{atom}(P), r) &= P \\
\mathrm{MR}(A \wedge B, r) &= \mathrm{MR}(A, r.1) \wedge \mathrm{MR}(B, r.2) \\
\mathrm{MR}(A \vee B, \mathrm{inl}(s)) &= \mathrm{MR}(A, s) \\
\mathrm{MR}(A \vee B, \mathrm{inr}(t)) &= \mathrm{MR}(B, t) \\
\mathrm{MR}(A \to B, r) &= (\mathrm{Tp}(A) \to \mathrm{Tp}(B)) \wedge (\Pi s : \mathrm{Cr}(A))(\mathrm{MR}(A, s) \to \mathrm{MR}(B, r(s))) \\
\mathrm{MR}(\forall(A,P), r) &= (\Pi x : A)\,\mathrm{MR}(P(x), r(x)) \\
\mathrm{MR}(\exists(A,P), r) &= \mathrm{MR}(P(r.1), r.2).
\end{aligned}
$$



Here r.1 and r.2 denote the first and second projections.

Remark 1.1. The above constructions work in many different type-theoretic settings. What is needed is a type universe U closed under Π, Σ, + and containing basic types Un and 0. Moreover the inductive construction SP_U should be made relative to U instead



The following correctness, or conservativity, result states that each simple proposition which is realised is also true in the standard interpretation.

Theorem 1.2. For any S : SP and r : Cr(S), if MR(S,r) then Tp(S).

Proof. The proof goes by induction on S. For S = ⊥ or S = atom(A) the result is immediate. For S = A → B we took care to define realisability so that this is direct as well. Here are two examples of the inductive step.

Suppose MR(A ∨ B, r). If r = inl(s), then MR(A, s) is true. By the inductive hypothesis we get Tp(A) and hence also Tp(A ∨ B). The argument for r = inr(t) is similar.

Assume MR(∀(A,P), r). Let a ∈ A. Then MR(P(a), r(a)), and so by the inductive hypothesis Tp(P(a)). Since a was arbitrary we have actually Tp(∀(A,P)). □

As a corollary there is an extraction theorem for ∀∃-formulae:

Corollary 1.3. For small types A and B and a simple proposition P(x,y) where x : A and y : B, let

S = (∀x : A)(∃y : B)P(x,y).

If MR(S, r) for some r, then there is some f : A → B such that Tp(P(x, f(x))) for all x : A.

Thereby the program f extracted also satisfies its specification Tp(P(x, f(x))) within type theory. For P(x,y) = atom(R(x,y)) this is equivalent to R(x, f(x)).

Remark 1.4. Note the difference in the ∀-case from usual interpretations, which go from theories to theories [Tro73]. It is not required that Tp(Π(A,P)) is added to the condition, since this follows from the correctness theorem in the present internalised version.

We present an intuitionistic infinitary propositional logic IPC∞⁻ in type theory in which quantifiers are understood as infinitary versions of conjunction and disjunction. The system has a restriction on the absurdity axiom to atomic formulae.



$$
A \vdash A \qquad
\frac{A \vdash B \quad B \vdash C}{A \vdash C} \qquad
A \vdash \mathrm{atom}(P),\ \text{for any inhabited } P
$$
$$
A \wedge B \vdash A \qquad A \wedge B \vdash B \qquad
\frac{C \vdash A \quad C \vdash B}{C \vdash A \wedge B} \qquad
\bot \vdash \mathrm{atom}(P)
$$
$$
A \vdash A \vee B \qquad B \vdash A \vee B \qquad
\frac{A \vdash C \quad B \vdash C}{A \vee B \vdash C}
$$
$$
\frac{A \wedge B \vdash C}{A \vdash B \to C} \qquad
\frac{A \vdash B \to C}{A \wedge B \vdash C}
$$
$$
\frac{A \vdash P(t)\ \ (t : S)}{A \vdash \forall(S, P)} \qquad
\frac{A \vdash \forall(S, P) \quad t : S}{A \vdash P(t)}
$$
$$
\frac{\exists(S, P) \vdash A \quad t : S}{P(t) \vdash A} \qquad
\frac{P(t) \vdash A\ \ (t : S)}{\exists(S, P) \vdash A}
$$
Remark 1.5. Note in particular that the existential quantifier is of the weak kind, as in first order logic. For S = 0 each ∃(S,P) works as an absurdity constant. However, if we wish to avoid empty sets as types of realisers, the restricted absurdity axiom ⊥ ⊢ atom(P) should be used. The full absurdity rule can be derived from the restricted one for those propositions which do not include quantification over empty sets. By this procedure we can in principle extract simply typed programs as in Minlog.

We say that a sequent A ⊢ B is MR-realised if there is some r such that MR(A → B, r) is true. A rule is realised if whenever all the sequents above the rule bar are realised, then so is the sequent below the bar.

Theorem 1.6. The axioms and rules of the system IPC∞⁻ are MR-realised.

To strengthen the weak absurdity axiom to the full axiom

⊥ ⊢ A

where A : SP may be arbitrary, we use the crude type map Cr' instead and introduce MR'. This is defined recursively as MR apart from the case for the existential quantifier:

MR'(∃(S,P), inl(s)) = ⊥
MR'(∃(S,P), inr(t)) = MR'(P(t.1), t.2).

Theorem 1.2 and Corollary 1.3 now go through with MR' and Cr' in place of MR and Cr.

The proof of soundness of the logical rules and axioms is similar to that of Theorem 1.6, with the exception of the verification of the absurdity rule and the left existential rule. This requires a special device, namely a function which to each P : SP assigns an element, called element(P), of Cr'(P). This function is defined straightforwardly by recursion on P. Some key clauses are

element(∃(A,P)) = inl(elt)
element(∀(A,P)) = λx.element(P(x))
element(A ∨ B) = inl(element(A)).

Observe that no such element need exist when employing the first definition of Cr, e.g. in the case Cr(∃(0,P)) = (Σx : 0)Cr(P(x)).

Theorem 1.7. The axioms and rules of the full system IPC∞ (IPC∞⁻ and the full absurdity axiom) are MR'-realised.

We mention some useful mathematical axioms that are realisable: 

Lemma 1.8. For each propositional function P : N → SP the induction scheme

P(0) ∧ (∀x : N)[P(x) → P(S(x))] → (∀x : N)P(x)

is both MR-realised and MR'-realised.
Lemma 1.9. For any binary propositional function P : A × B → SP the type-theoretic choice principle

(∀x : A)(∃y : B)P(x,y) → (∃g : A → B)(∀x : A)P(x, g(x))

is MR-realisable. In case B is inhabited, the principle is MR'-realisable as well.

Proof. The non-trivial part is to prove the second statement. Suppose b₀ : B and r : Cr'(S) and p : MR'(S,r), where S = (∀x : A)(∃y : B)P(x,y). Define an auxiliary operation f(x,w) : (Σy : B)Cr'(P(x,y)), where x : A and w : Cr'((∃y : B)P(x,y)), by cases

f(x, inl(u)) = (b₀, element(P(x, b₀)))
f(x, inr(y)) = y.

The realiser for the implication is now given by

k(r) = (λx.f(x, r(x)).1, λx.f(x, r(x)).2).

To prove it is a realiser, use ⊥-elimination for the case r(x) = inl(u). □

The following result is often useful to verify realisability.

Lemma 1.10. If the Tp-translation of the proposition

(∀x₁ : A₁) ··· (∀xₙ : Aₙ)[Q(x₁, …, xₙ) → P(x₁, …, xₙ)]

is true and P is atomic or ⊥, then the proposition is MR-realised as well as MR'-realised.

Proof. The realising function is trivial for such a proposition: (λx₁) ··· (λxₙ)(λr)elt. Theorem 1.2, a special property of modified realisability with truth, is necessary here. □

Many stronger "transfer principles" are possible to establish. See [BBS02] for further results and references.

2. An Example 

We test the formalisation and extraction procedure on a simple example, which is due to 
Berger and Schwichtenberg. The extracted function computes Fibonacci numbers efficiently 
by "memoization." 

A binary predicate G on natural numbers is given. From the axioms

(Ax1) G(0,0)
(Ax2) G(1,1)
(Ax3) (∀m,k,l)[G(m,k) ∧ G(S(m),l) → G(S(S(m)), k + l)]

one derives by induction and intuitionistic logic the proposition

(P) (∀x)(∃k,l) G(x,k) ∧ G(S(x),l).

Thus there is some realiser f so that

MR(Ax1 & Ax2 & Ax3 ⊢ P, f).

The extracted program p (which is fib_prog in the Appendix) for computing the Fibonacci sequence is then given by

p(x) = f(nc, x).1

where nc (nocontent in the Appendix) is the trivial realiser for Ax1 & Ax2 & Ax3. After a normalisation process one gets the program:
p x =
  (case x of {
     (zero)    -> t;
     (succ x') -> h x' g (rec (\(z::Nat) -> C) x' t (\(x''::Nat) -> \(y::C) -> h x'' g y));}).1

where

  C = Sigma Nat (\(k::Nat) -> Sigma Nat (\(l::Nat) -> Unit))
  h v p q = <q.2.1; case q.2.1 of {(zero) -> q.1; (succ u) -> succ (q.1 + u);}; <q.2.2.2; e>>
  t = <zero; <succ zero; <e;e>>>
  g = \(x,y,z::Nat) -> \(h,j::Unit) -> e
  e = elt@_

Remark 2.1. Note that all truly dependent types have disappeared. The type C is really the type N × (N × Un).

The normalised program has been computed using the partial normalisation procedure of Agda on selected subexpressions, and was thus not completely automatic. We also introduced the abbreviations C, h, t, g, e by hand. Some syntactic sugar for lambda expressions and pairs is added.
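The normalised program above transcribed into Python, as an added example that is not the paper's own code: fib_realiser(x) builds the C-value <k; <l; <e;e>>> exactly as h, t, g and rec do, p(x) takes its first projection, and meets_spec(x) checks the specification of Corollary 1.3 for this instance. The reading of G(m,k) as "k is the m-th Fibonacci number" (fib_graph) is an assumption of this example, chosen because it satisfies Ax1 to Ax3.

```python
# The normalised extracted program of Section 2, transcribed into Python. A C-value is the
# nested pair <k; <l; <e;e>>>: the two witnesses for (exists k,l) G(x,k) and G(S(x),l), each
# atomic fact being realised by the unit element e.
e = "elt"                                    # e = elt@_

def rec(n, base, step):
    """Agda-style recursion on Nat: rec 0 = base, rec (succ x') = step x' (rec x')."""
    acc = base
    for i in range(n):
        acc = step(i, acc)
    return acc

t = (0, (1, (e, e)))                         # t = <zero; <succ zero; <e;e>>>, witnesses for x = 0

def g(x, y, z):                              # g = \(x,y,z::Nat) -> \(h,j::Unit) -> e
    return lambda h, j: e                    # the Ax3 realiser carries no computational content

def h(v, ax3, q):
    """h v p q = <q.2.1; case q.2.1 of {zero -> q.1; succ u -> succ (q.1 + u)}; <q.2.2.2; e>>,
    the step from the witnesses (k, l) for x to the witnesses (l, k + l) for S(x)."""
    k, (l, (_, w)) = q
    new_l = k if l == 0 else (k + (l - 1)) + 1
    return (l, (new_l, (w, e)))

def fib_realiser(x):
    """f(nc, x) after normalisation: the C-value <fib(x); <fib(x+1); <e;e>>>."""
    if x == 0:                               # (zero) -> t
        return t
    xp = x - 1                               # (succ x') -> h x' g (rec (\z -> C) x' t (\x'' y -> h x'' g y))
    return h(xp, g, rec(xp, t, lambda x2, y: h(x2, g, y)))

def p(x):
    """The extracted program p(x) = f(nc, x).1."""
    return fib_realiser(x)[0]

def fib_graph(m, k):
    """Assumed reading of G(m, k): k is the m-th Fibonacci number (a constructed reference,
    not from the paper); it satisfies Ax1 to Ax3."""
    a, b = 0, 1
    for _ in range(m):
        a, b = b, a + b
    return a == k

def meets_spec(x):
    """Corollary 1.3 for this instance: Tp(G(x, k) and G(S(x), l)) for the extracted witnesses."""
    k, (l, _) = fib_realiser(x)
    return fib_graph(x, k) and fib_graph(x + 1, l)
```

The pair carried through rec is what the paper calls memoisation: each step reuses the previous two values instead of recomputing them.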

3. The formalisation 

The formalisation has been carried out in Agda/IAgda (version 2003-08-09) with the aid of the graphical user interface Alfa. The relevant files are available at the URL

www.math.uu.se/~palmgren/modif